Nobody Likes a Compliance Audit… and Why You Should Do Them Anyway!
What Is a Compliance Audit?
A compliance audit is an examination of documentation, records, or other evidentiary artifacts against a specific set of regulatory controls to determine whether those controls are being met. There are many different types of compliance audits, including financial, technical, and cybersecurity audits. Common compliance audits include HIPAA, PCI-DSS, and SOC.
Why Do I Need a Compliance Audit?
Audits are necessary to determine whether an individual, company, or organization is meeting the requirements of a specific set of regulations or controls. An audit is a way to obtain specific information on the status of something, or on the level of compliance something has when measured against a set of controls. Audits are typically performed in one of three ways: internal audits are performed by an organization looking to check on the compliance or performance of its own personnel or systems; independent audits are conducted by an impartial third party; and regulatory audits are performed by a representative or agent of a regulatory agency (like the much-dreaded IRS audit).
Since certain regulations can impose steep financial penalties or other negative sanctions for non-compliance on both organizations and employees, it is extremely beneficial for organizations to routinely have compliance requirements verified and conduct audits to ensure continued compliance.
What Kinds of Audits Will Help Improve My Organization’s Security Posture?
Many companies and organizations are concerned with security breaches and the loss or theft of sensitive client data. Regulatory agencies are requiring stricter controls for personal and healthcare-related data, and fines and penalties are not the only negative repercussions of a data breach. The loss of customer confidence and the damage to the company brand that occur after client data is compromised can have dire, long-lasting consequences for an organization.
Cybersecurity audits that check for specific regulatory compliance, such as HIPAA or PCI-DSS, should be performed regularly, either internally or by an independent third party. Vulnerability assessments and penetration tests can help to support these compliance audits by testing an organization’s systems and networks and looking for ways that sensitive data could be exfiltrated. Audits against industry best practices and standards, like the Center for Internet Security’s 20 Critical Security Controls, can also greatly assist an organization in developing comprehensive, robust security practices to protect its data and its networks.
When Should I Perform an Audit?
Audits should be performed as regularly as possible, and at the very least annually. Regular audits help to reduce the amount of work and time needed to remediate areas of non-compliance. Regular audits also help organizations develop sound practices that improve compliance, security, performance, and efficiency. Audit results help to illustrate the areas of an organization that need improvement, or reveal vulnerabilities that need to be addressed.
Internal audits, or those performed by an independent third party, can also help an organization prepare for an audit conducted by a regulatory agency. No one likes to be surprised by the findings of a regulatory audit, and routine audits help prevent being blindsided during an official one.
How Do I Know Whom to Choose to Conduct My Audit?
Some audits require specially trained or certified auditors, while others have no such requirements. Auditing is a specialized skill that requires attention to detail, a thorough understanding of the regulations or controls used in the audit, analysis and documentation-writing skills, and the ability to provide remediation guidance that will help an organization achieve its compliance goals.
Select a company whose personnel have developed and refined these skills, and who regularly provide these services to their clients. Companies that can provide complementary services, such as penetration testing, vulnerability assessments, or documentation creation and remediation, allow an organization to maximize its efforts to achieve compliance before it faces a regulatory audit.
What Should I Do to Prepare for a Compliance Audit?
The first step in preparing for a compliance audit is to do a little homework: learn what the compliance controls for the audit are, and how compliance will be determined. If the audit checks for compliance with the written policies, procedures, or other supporting documentation used within your organization, make sure that you have written documentation to provide to your auditor. An audit is not the best time to discover that all your company procedures are “tribal knowledge”, or that Bob in the IT department is the only one who knows how your organization’s network architecture is designed.
Provide your auditor with the documentation or artifacts that they request, and be prepared for a few follow-up requests when they finish the initial audit and want to verify any gaps or missing components. Some organizations create a secured, shared folder system that allows the auditor to access the necessary documentation without any sensitive or proprietary information leaving their network. Talk to your auditor about any security questions or concerns that you have before and during the audit. If additional departments or personnel within your organization need to provide documentation or artifacts, gather them all and place them in a centralized location for your auditor. This greatly streamlines the auditing process and helps prevent any documents or artifacts from being missed during the audit.
Great! My Audit Is Over! I Can Relax Now, Right?
Congratulations on completing your audit!!! Now that it is over, be sure that you understand the audit findings and remediation suggestions. Develop and implement steps to correct all areas of non-compliance. This may mean that missing policies or procedures need to be written, or that configuration changes may need to be made to your organization’s systems or network. Additional controls might need to be implemented, and employee awareness training may need to occur.
Audits Should Be Performed Continuously
Compliance audits are a cyclical process. New versions of the requirements are always being released, and most compliance must be recertified or verified on a regular basis. Know the specific requirements for your audit, and be sure to continue to enforce compliance even after a formal regulatory audit has been conducted. Preparation, cooperation, and vigilance are the keys to a successful audit. Whatever your compliance audit results are, you can use the findings as a roadmap to achieve the compliance your organization desires.
Jana White is a Cybersecurity Engineer and Trainer with Alpine Security. Her certifications include Security+, CyberSec First Responder (CFR), Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI), and Certified Information Systems Security Professional (CISSP). Jana’s background experience includes compliance, auditing, loss prevention, penetration testing, project management, and social engineering. Jana is certified as a Crime Scene Evidence Technician, and incorporates her experiences in banking and Crime Scene Evidence collection into her courses as a trainer for Alpine Security. In her spare time, Jana is a member of the 501st Legion, an international Star Wars costuming organization that focuses on promoting an interest in Star Wars through screen accurate costuming, and performing charity work and volunteering all over the world. Her current armor sets include Captain Phasma from The Last Jedi, and a Stormtrooper from A New Hope. She is working on joining the Rebel Legion, as General Leia Organa. Jana also studies Japanese, with the hope of passing the JLPT N1 exam someday.